I'm trying to move a VSTS/DevOps instance from one Azure environment to another. Is this possible, and if it is, how do I do it?
So for example Azure environment "A", owned by me, has resource group "mydevops" with a "devops" instance.
I want to move this to Azure environment "B", which is owned by a different person/account, perhaps if needed including the resource group.
You need the following permissions to link and unlink an Azure subscription:
Project collection administrator or organization owner permissions
The owner or contributor role on your Azure subscription
So you need to have the owner or contributor role on both Azure A and Azure B to do this. Otherwise, you need to add Azure B's owner to your Azure DevOps account, give him PCA permission and ask him to link the subscription.
This is a question regarding the setup we have with our Azure Sentinel instance: it's only visible to the global admin that set it up and not to other global admins. So how do I, as the second global administrator, get to see the Azure Sentinel instance, Log Analytics workspace and resource group? At the moment I can only see the subscription.
A global admin does not necessarily have access to all Azure Subscriptions.
I guess Sentinel was created in a subscription to which your account does not have access.
Ask your other global admin to add you to the subscription/resource group, or you can gain access this way:
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
There is a use case I am looking for a solution to. Assume I am assigning the RBAC Owner role to a user (xxx) at subscription level. But now I need to exclude this permission from one of the resource groups under this subscription. Is that feasible?
No. Azure RBAC permissions cannot be removed like that.
Owner at subscription level means Owner on all resource groups and resources under it.
You need to assign the roles at resource group level if you want to restrict them there.
The other option is to separate the resources to a different subscription.
In this scenario I'm hosting several resources for several projects in one Azure tenant.
Additionally I have multiple Azure subscriptions with corresponding resource groups per project:
Azure Subscription A -> Resource Group A -> VMs, DNS, Bastion Host... for project A
Azure Subscription B -> Resource Group B -> VMs, DNS, Bastion Host... for project B
Azure Subscription C -> Resource Group C -> VMs, DNS, Bastion Host... for project C
In Azure AD I would like to create groups like Project A, Project B, Project C and grant them role permissions on the dedicated resource groups.
But unfortunately, if I grant the Contributor role, this also includes the permission on the subscription to add new services. I just want to enable them to manage their resources (access the VM through the bastion host) without giving them permission to add new services.
We can restrict the user from creating resources in the resource group in two ways:
1. You can grant Contributor permissions to each individual resource; that way the user won't be able to create new resources, only modify existing ones (he would be able to delete resources).
2. A combination of RBAC and Azure Policy. The users that have been assigned Contributor access have access to all resources in their resource groups. In Azure Policy you can use a policy like Allowed resource types, Not allowed resource types or Allowed locations, which will enable you to specify the resource types that your organization can deploy.
There is a similar scenario that you can find here.
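The two answers above (Owner at subscription scope cannot be carved out of one resource group; Contributor at resource-group scope plus an "Allowed resource types" policy) both come down to how Azure Resource Manager evaluates a write request: a role assignment applies to its scope and everything beneath it, there is no exclusion at a child scope, and Azure Policy with a deny effect is evaluated on the same request on top of RBAC. The following model is an added example, not code from either answer or from Azure itself; the role definitions are trimmed-down copies of the built-in Owner, Contributor and Reader roles, and the subscription ID, resource group names and principal names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed, trimmed-down versions of three built-in roles. The real role
# definitions carry more NotActions; these are enough to show inheritance,
# wildcard actions and the Microsoft.Authorization carve-out in Contributor.
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


@dataclass(frozen=True)
class AllowedTypesPolicy:
    """Models the 'Allowed resource types' policy (deny effect) assigned at a scope."""
    scope: str
    allowed_types: tuple


def scope_covers(assigned: str, target: str) -> bool:
    """An assignment applies to its own scope and to every scope below it.
    Scopes are compared case-insensitively, as ARM does ('resourcegroups' == 'resourceGroups')."""
    a = assigned.lower().rstrip("/")
    t = target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def action_matches(pattern: str, action: str) -> bool:
    """Role action strings use '*' as a wildcard that spans '/' segments."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def rbac_allows(principal: str, action: str, target: str, assignments) -> bool:
    """True if any assignment for the principal covers the target scope and its
    role grants the action (Actions minus NotActions). Nothing in this model can
    remove a grant at a child scope: a subscription-level grant reaches every
    resource group underneath it."""
    for ra in assignments:
        if ra.principal != principal or not scope_covers(ra.scope, target):
            continue
        role = ROLES[ra.role]
        granted = any(action_matches(p, action) for p in role["actions"])
        excluded = any(action_matches(p, action) for p in role["notActions"])
        if granted and not excluded:
            return True
    return False


def policy_allows(resource_type: str, target: str, policies) -> bool:
    """Every policy assignment covering the target must list the type. The deny
    effect applies to create and update requests alike, as in Azure Policy."""
    for pol in policies:
        if scope_covers(pol.scope, target):
            if resource_type.lower() not in {t.lower() for t in pol.allowed_types}:
                return False
    return True


def can_write(principal, resource_type, resource_id, assignments, policies=()):
    """Evaluate a PUT on resource_id: RBAC first, then policy. Returns (ok, reason)."""
    action = f"{resource_type}/write"
    if not rbac_allows(principal, action, resource_id, assignments):
        return False, f"RBAC: no assignment grants {action} over {resource_id}"
    if not policy_allows(resource_type, resource_id, policies):
        return False, f"Policy: {resource_type} is not an allowed resource type at {resource_id}"
    return True, "allowed"


# Constructed scopes and identifiers for the scenarios in the two answers.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_A = f"{SUB}/resourceGroups/rg-project-a"
RG_SECRET = f"{SUB}/resourceGroups/rg-secret"
VM_TYPE = "Microsoft.Compute/virtualMachines"
STORAGE_TYPE = "Microsoft.Storage/storageAccounts"
VM_A = f"{RG_A}/providers/{VM_TYPE}/vm1"
VM_SECRET = f"{RG_SECRET}/providers/{VM_TYPE}/vm-secret"
STORAGE_A = f"{RG_A}/providers/{STORAGE_TYPE}/stproja"

# 1. Owner at subscription scope reaches rg-secret; no way to exclude it.
OWNER_AT_SUB = [RoleAssignment("xxx", "Owner", SUB)]
# 2. The fix the answer gives: assign at the resource group instead.
OWNER_AT_RG_A = [RoleAssignment("xxx", "Owner", RG_A)]
# 3. Contributor on rg-project-a plus a policy that only allows VMs there.
CONTRIB_AT_RG_A = [RoleAssignment("proj-a", "Contributor", RG_A)]
ONLY_VMS_IN_RG_A = [AllowedTypesPolicy(RG_A, (VM_TYPE,))]

if __name__ == "__main__":
    print(can_write("xxx", VM_TYPE, VM_SECRET, OWNER_AT_SUB))
    print(can_write("xxx", VM_TYPE, VM_SECRET, OWNER_AT_RG_A))
    print(can_write("proj-a", STORAGE_TYPE, STORAGE_A, CONTRIB_AT_RG_A, ONLY_VMS_IN_RG_A))
```

One caveat the model makes visible: because the deny effect fires on updates as well as creates, an "Allowed resource types" list that omits a type also blocks changes to existing resources of that type, so the list has to include every type the project team is expected to manage, not just the ones they may create.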
I'm trying to remove the permission for a user on my Azure tenant to create a new subscription.
The only way I found is to put the Global Reader role in Active Directory when I create the user.
But with this method, the user can see the Active Directory the same, even if I block it with users' permissions.
I also tried to create an RBAC assignment at the tenant root in my management group. But when I put a Reader role, the user can create a new subscription again.
Azure RBAC is only for controlling access to Azure subscription resources here; it will not work for Azure subscription creation.
For creating Azure subscriptions, based on this official doc, only users who have the billing roles Invoice section owner, Invoice section contributor or Azure subscription creator will be able to create Azure subscriptions.
Billing roles belong to your billing account. This doc describes the relationship between the billing account and your subscriptions well.
Hope it helps.
I am assigned an Owner role in my employer's Azure subscription. He was able to create resource groups, but I can't. We're both wondering why, since I was already assigned as Owner, the highest role aside from subscription level.
When I try the az group create --name myGroup -l southeastasia command, its response is:
The client 'live.com#<myAccount>#outlook.com' with object id '<object ID>'
does not have authorization to perform action 'Microsoft.Resources/subscriptions/
resourcegroups/write' over scope '/subscriptions/<subscription>/resourcegroups/<myGroup>'.
Edit: I have no subscription level resources
Do you have multiple subscriptions in your tenant? If yes, you should set it.
# list subscriptions
az account list --output table
# change the active subscription
az account set --subscription "My Demos"
If you only have one subscription, I suggest you create an SP (service principal), then use the SP to create a new resource group. See this link.
Update:
You should give the Owner role at subscription level. According to your screenshot, you gave the Owner role at resource group level, so you can only create resources in that resource group. You also cannot create a new resource group. You should give the Owner role on your subscription, like below:
Note: This issue is more likely to happen in newer subscriptions and usually happens if a certain resource type has never been created before in that subscription.
Subscription admins often fix this issue by granting resource group owners Contributor rights at subscription level, which contradicts their strategy of isolating access down to the resource group level, not the subscription level.
For root cause and quick resolution, refer "Common problem when using Azure resource groups & RBAC".
Well, the error clearly says you don't have rights over the scope, so you are either Owner of the wrong subscription or you have a role that specifically restricts that.
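The error in the question carries everything needed to tell the two possibilities in the last answer apart: the principal's object ID, the action, and the scope ARM checked. Comparing those against the principal's role assignments shows whether any write-capable assignment covers that scope, and if none does, at which scopes one would have to be created. Because Microsoft.Resources/subscriptions/resourcegroups/write is checked over the scope of the group being created, which does not exist yet, an Owner assignment on some other resource group can never cover it; the assignment has to sit at the subscription or above, which is the situation both answers describe. The script below is an added example, not the CLI's own code; the object IDs, subscription ID and assignment records are constructed, and the records only mimic the principalId, roleDefinitionName and scope fields of az role assignment list output.

```python
import re

# Constructed copy of the az CLI authorization error from the question,
# with placeholder identifiers.
SAMPLE_ERROR = (
    "The client 'live.com#someone#outlook.com' with object id "
    "'22222222-2222-2222-2222-222222222222' does not have authorization to "
    "perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' "
    "over scope '/subscriptions/11111111-1111-1111-1111-111111111111/"
    "resourcegroups/myGroup'."
)

ERROR_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)

# Assumption: instead of parsing role definitions, treat these built-in roles
# as the ones whose Actions ('*') can satisfy a write.
WRITE_ROLES = {"owner", "contributor"}


def parse_auth_error(text: str) -> dict:
    """Extract client, object_id, action and scope from the ARM error text."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not an ARM authorization error")
    return m.groupdict()


def scope_ancestors(scope: str) -> list:
    """The scope itself, then each parent scope up to the tenant root '/'."""
    scope = scope.rstrip("/")
    low = scope.lower()
    if low.startswith("/providers/microsoft.management/managementgroups/"):
        return [scope, "/"]          # management-group nesting is not modelled
    chain = [scope]
    idx = low.find("/providers/")
    if idx != -1:                    # a resource: its resource group comes next
        scope = scope[:idx]
        chain.append(scope)
    segs = scope.strip("/").split("/")
    while len(segs) >= 4:            # drop resourcegroups/<name>, keep subscriptions/<id>
        segs = segs[:-2]
        chain.append("/" + "/".join(segs))
    chain.append("/")
    return chain


def scope_covers(assigned: str, target: str) -> bool:
    """Case-insensitive prefix test on scope paths, as ARM applies it."""
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def diagnose(error_text: str, assignments: list) -> dict:
    """Report which write-capable assignments of the failing principal cover the
    scope in the error and, if none do, where an assignment would have to go."""
    err = parse_auth_error(error_text)
    covered_by = [
        a["scope"] for a in assignments
        if a["principalId"].lower() == err["object_id"].lower()
        and a["roleDefinitionName"].lower() in WRITE_ROLES
        and scope_covers(a["scope"], err["scope"])
    ]
    candidates = scope_ancestors(err["scope"])
    # A resource group that is being created does not exist yet, so an
    # assignment on the group itself is impossible; start one level up.
    if err["action"].lower().endswith("resourcegroups/write"):
        candidates = candidates[1:]
    return {
        "action": err["action"],
        "scope": err["scope"],
        "covered_by": covered_by,
        "assign_at": [] if covered_by else candidates,
    }


# Constructed records mimicking the fields of `az role assignment list --all -o json`
# that this script reads. The first is the question's situation: Owner, but on
# a different resource group than the one being created.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/otherGroup"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_ASSIGNMENTS))
```

With the real output of az role assignment list --all -o json loaded via json.load in place of SAMPLE_ASSIGNMENTS, the same function tells you whether the active subscription is simply the wrong one (no covering assignment for this object ID at all) or whether the assignment exists but at a scope that cannot reach the target.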